
CRM — Vulnerabilities & Security Advisories (78)

All 78 CVE vulnerabilities found in CRM, with AI-generated Chinese analysis, references, and POCs.

Vendor: oroinc

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-39318 | ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php | CWE-89 | 8.8 | High | 2026-04-07
CVE-2026-39335 | ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls | CWE-79 | 6.1 | Medium | 2026-04-07
CVE-2026-35576 | ChurchCRM has Stored Cross-Site Scripting (XSS) in Person Properties via PrintView.php | CWE-79 | 8.7 | High | 2026-04-07
CVE-2026-35575 | ChurchCRM has Stored XSS in Group Name | CWE-79 | 8.0 | High | 2026-04-07
CVE-2026-35572 | SSRF via Referer header in ChurchCRM allows server-side HTTP/HTTPS requests to arbitrary hosts | CWE-918 | 7.1 (AI) | High (AI) | 2026-04-07
CVE-2026-35573 | ChurchCRM has a Path Traversal that leads to RCE | CWE-22 | 9.1 | Critical | 2026-04-07
CVE-2026-35574 | ChurchCRM has a Stored XSS in Person Profile - Add a Note | CWE-79 | 7.3 | High | 2026-04-07
CVE-2026-35534 | ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection | CWE-79 | 7.6 | High | 2026-04-07
CVE-2026-32880 | ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php | CWE-79 | 6.4 | Medium | 2026-03-20
CVE-2026-26059 | ChurchCRM has Stored Cross-Site Scripting (XSS) in GroupEditor.php | CWE-79 | 5.4 | - | 2026-02-19
CVE-2026-24855 | ChurchCRM has Stored Cross-Site Scripting (XSS) in Create Events in Church Calendar, Leading to Account Takeover | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-01-30
CVE-2026-24854 | Church CRM has SQL injection in PaddleNumEditor.php | CWE-89 | 8.8 | High | 2026-01-30
CVE-2021-47779 | Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation | CWE-79 | 5.4 | Medium | 2026-01-15
CVE-2025-68928 | Frappe CRM vulnerable to authenticated XSS via website field | CWE-79 | 5.4 | Medium | 2025-12-29
CVE-2025-68275 | ChurchCRM vulnerable to Stored XSS - Group name > Person Listing | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-17
CVE-2025-68401 | ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft and account takeover | CWE-79 | 7.6 (AI) | High (AI) | 2025-12-17
CVE-2025-68400 | ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php | CWE-89 | 8.8 (AI) | High (AI) | 2025-12-17
CVE-2025-68399 | ChurchCRM has Stored Cross-Site Scripting (XSS) in GroupEditor.php | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-17
CVE-2025-68112 | ChurchCRM has SQL injection in EditEventAttendees.php | CWE-89 | 9.6 | Critical | 2025-12-17
CVE-2025-68111 | ChurchCRM has SQL Injection in eGive Import Feature | CWE-89 | 7.2 | High | 2025-12-17
CVE-2025-68110 | ChurchCRM discloses database information on error message | CWE-200 | 10.0 | Critical | 2025-12-17
CVE-2025-68109 | ChurchCRM vulnerable to RCE with database restore functionality | CWE-78 | 9.1 | Critical | 2025-12-17
CVE-2025-67877 | ChurchCRM SQL Injection Vulnerability | CWE-89 | 8.8 (AI) | High (AI) | 2025-12-17
CVE-2025-67876 | ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-17
CVE-2025-67875 | ChurchCRM has stored XSS via Person Property Assignment Leading to Admin Session Hijacking | CWE-79 | 7.6 (AI) | High (AI) | 2025-12-17
CVE-2025-66397 | ChurchCRM's Kiosk Manager Functions are vulnerable to Broken Access Control | CWE-284 | 8.3 | High | 2025-12-17
CVE-2025-66396 | ChurchCRM has SQL Injection in User Editor via `type` Parameter Key | CWE-89 | 7.2 | High | 2025-12-17
CVE-2025-66395 | SQL Injection in Event List via `WhichType` Parameter | CWE-89 | 8.8 | High | 2025-12-17
CVE-2025-62521 | ChurchCRM has unauthenticated RCE in its Install Wizard | CWE-94 | 10.0 | Critical | 2025-12-17
CVE-2025-67751 | ChurchCRM has SQL Injection in Event Editor via `EN_tyid` Parameter caused by an Incomplete Fix | CWE-89 | 7.2 | High | 2025-12-16

Values marked (AI) are this site's AI-generated CVSS and severity estimates, not scores published by the CVE's assigning authority; a "-" means no severity was recorded.
